CVE-2020-15238

{"id": "CVE-2020-15238", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.7, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2020-10-27T19:15:12.237", "references": [{"url": "http://packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "security-advisories@github.com"}, {"url": "https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blueman-project/blueman/releases/tag/2.1.4", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00005.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/", "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202011-11", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.debian.org/security/2020/dsa-4781", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "http://packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/blueman-project/blueman/releases/tag/2.1.4", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00005.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202011-11", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2020/dsa-4781", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-88"}]}], "descriptions": [{"lang": "en", "value": "Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules."}, {"lang": "es", "value": "Blueman es un GTK+ Bluetooth Manager. En Blueman versiones anteriores a 2.1.4, el m\u00e9todo DhcpClient de la interfaz D-Bus en el mecanismo blueman es propenso a una vulnerabilidad de inyecci\u00f3n de argumentos. El impacto depende en gran medida de la configuraci\u00f3n del sistema. Si Polkit-1 est\u00e1 deshabilitado y para versiones inferiores a 2.0.6, cualquier usuario local posiblemente puede explotar esto. Si Polkit-1 est\u00e1 habilitado para la versi\u00f3n 2.0.6 y posteriores, un posible atacante debe poder usar la acci\u00f3n \"org.blueman.dhcp.client\". Eso est\u00e1 limitado a los usuarios en el grupo wheel en el archivo de reglas enviado que tienen los privilegios de cualquier manera. En los sistemas con el cliente DHCP de ISC (dhclient), unos atacantes pueden pasar argumentos a \"ip link\" con el nombre de la interfaz que, por ejemplo, puede usarse para desactivar una interfaz o agregar un programa XDP/BPF arbitrario. En sistemas con dhcpcd y sin cliente ISC DHCP, los atacantes pueden incluso ejecutar scripts arbitrarios pasando \"-c/path/to/script\" como nombre de la interfaz. Los parches son incluidos en versi\u00f3n 2.1.4 y el maestro que cambia los m\u00e9todos DhcpClient D-Bus acepta rutas de objetos de red BlueZ en lugar de nombres de interfaz de red. Tambi\u00e9n est\u00e1 disponible un backport hasta versi\u00f3n 2.0(.8). Como soluci\u00f3n alternativa, aseg\u00farese de que Polkit-1-support est\u00e9 habilitado y limite los privilegios para la acci\u00f3n \"org.blueman.dhcp.client\" a usuarios que pueden ejecutar comandos arbitrarios como root de cualquier manera en /usr/share/ polkit-1 /rules.d/blueman.rules"}], "lastModified": "2024-11-21T05:05:09.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blueman_project:blueman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C9B46B2-63AD-4EB8-B031-585524C1E7F3", "versionEndExcluding": "2.1.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}